Within the Templafy Hive platform we use three JWT tokens, the Refresh Token, the Templafy Desktop Refresh Token and the Access Token, to manage the authentication and authorization for the Templafy clients.
How does JWT work?
Every time a user logs in to Windows, Templafy Desktop starts and tries to perform a login in the background.
If this is successful, JSON Web Tokens (JWT) are stored (encrypted) in the windows registry.
The encryption/decryption key is stored in Windows Credential Manager.
As of Templafy Desktop Client version 3.4.75, there are 2 refresh tokens issued by Templafy Desktop Client. Templafy Desktop Refresh Token and a Refresh Token that is used by the Add-ins. The Templafy Desktop Refresh Token is used to synchronize updates to add-ins securely. The Refresh Token utilized by the VSTO Add-ins is used to access relevant content.
The lifetime of Templafy Desktop Refresh Token is set to 30 days.
The Refresh Token utilized by the VSTO Add-ins is for SSO protocols set to 24 hours. For email authentication the token has a lifetime of 14 days. The Refresh Token can also exist as a cookie for web application and web add-ins. Its lifetime is by default set to 24 hours.
The Windows Credential Manager is a safe storage that can only be accessed by a Windows user for whom the credential was created, while they are logged in, and not by other Windows admins on the
Additionally, a RefreshKey is stored in Global Registry to validate the token. This offers
Templafy the option to invalidate the Refresh token by deleting the RefreshKey if necessary.
The Access token is part of the authorization flow, granting the user access to the Templafy tenant. The Access token has a lifetime of 5 minutes and will automatically be re-issued when accessing restricted resources.
Templafy Desktop will try to log in at every start-up and attempt to reauthenticate after midnight, if the
process is still running (load is distributed in the first hour after midnight).
If the computer is shut down, hibernating, or sleeping, it will try to renew the token when the computer first starts/resumes. The same pattern is used to check for updates to add-ins.
Templafy Office add-ins:
If a user starts Office and there is a valid refresh token, this is used to authenticate the user to
Templafy, so a full login is avoided.
If there is not a valid refresh token, then the Office app will do a full login.
After a successful login the Office add-ins save the refresh token. The refresh token is valid
for the next 24 hours or 14 days depending on whether the authentication method is SSO or
Unlike in Templafy One, the sliding window is not applicable for the Hive platform.